From patchwork Sat May 17 09:26:26 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4255
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 17 May 2025 11:26:26 +0200
Message-ID: <20250517092637.2103-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v28] dns: don't publish env vars to non-dns scripts
From: Heiko Hund With --dns-updown in place we no longer need --dns option related vars in the environment for other script hooks. Code for doing that is removed and the function to set --dns stuff made static, for internal use only. Change-Id: I3fb01ab76cf3df0874ba92e08f371d17607a8369 Signed-off-by: Heiko Hund Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/840 This mail reflects revision 28 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 19de321..221e9a9 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c 
@@ -350,93 +350,6 @@ } } -static void -setenv_dns_option(struct env_set *es, - const char *format, int i, int j, - const char *value) -{ - char name[64]; - bool name_ok = false; - - if (j < 0) - { - name_ok = snprintf(name, sizeof(name), format, i); - } - else - { - name_ok = snprintf(name, sizeof(name), format, i, j); - } - - if (!name_ok) - { - msg(M_WARN, "WARNING: dns option setenv name buffer overflow"); - } - - setenv_str(es, name, value); -} - -void -setenv_dns_options(const struct dns_options *o, struct env_set *es) -{ - struct gc_arena gc = gc_new(); - const struct dns_server *s; - const struct dns_domain *d; - int i, j; - - for (i = 1, d = o->search_domains; d != NULL; i++, d = d->next) - { - setenv_dns_option(es, "dns_search_domain_%d", i, -1, d->name); - } - - for (i = 1, s = o->servers; s != NULL; i++, s = s->next) - { - for (j = 0; j < s->addr_count; ++j) - { - if (s->addr[j].family == AF_INET) - { - setenv_dns_option(es, "dns_server_%d_address_%d", i, j + 1, - print_in_addr_t(s->addr[j].in.a4.s_addr, IA_NET_ORDER, &gc)); - } - else - { - setenv_dns_option(es, "dns_server_%d_address_%d", i, j + 1, - print_in6_addr(s->addr[j].in.a6, 0, &gc)); - } - if (s->addr[j].port) - { - setenv_dns_option(es, "dns_server_%d_port_%d", i, j + 1, - print_in_port_t(s->addr[j].port, &gc)); - } - } - - if (s->domains) - { - for (j = 1, d = s->domains; d != NULL; j++, d = d->next) - { - setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); - } - } - - if (s->dnssec) - { - setenv_dns_option(es, "dns_server_%d_dnssec", i, -1, - dnssec_value(s->dnssec)); - } - - if (s->transport) - { - setenv_dns_option(es, "dns_server_%d_transport", i, -1, - transport_value(s->transport)); - } - if (s->sni) - { - setenv_dns_option(es, "dns_server_%d_sni", i, -1, s->sni); - } - } - - gc_free(&gc); -} - #ifdef _WIN32 static void 
@@ -554,6 +467,93 @@ #else /* ifdef _WIN32 */ static void +setenv_dns_option(struct env_set *es, + const char *format, int i, int j, + const char *value) +{ + char name[64]; + bool name_ok = false; + + if (j < 0) + { + name_ok = snprintf(name, sizeof(name), format, i); + } + else + { + name_ok = snprintf(name, sizeof(name), format, i, j); + } + + if (!name_ok) + { + msg(M_WARN, "WARNING: dns option setenv name buffer overflow"); + } + + setenv_str(es, name, value); +} + +static void +setenv_dns_options(const struct dns_options *o, struct env_set *es) +{ + struct gc_arena gc = gc_new(); + const struct dns_server *s; + const struct dns_domain *d; + int i, j; + + for (i = 1, d = o->search_domains; d != NULL; i++, d = d->next) + { + setenv_dns_option(es, "dns_search_domain_%d", i, -1, d->name); + } + + for (i = 1, s = o->servers; s != NULL; i++, s = s->next) + { + for (j = 0; j < s->addr_count; ++j) + { + if (s->addr[j].family == AF_INET) + { + setenv_dns_option(es, "dns_server_%d_address_%d", i, j + 1, + print_in_addr_t(s->addr[j].in.a4.s_addr, IA_NET_ORDER, &gc)); + } + else + { + setenv_dns_option(es, "dns_server_%d_address_%d", i, j + 1, + print_in6_addr(s->addr[j].in.a6, 0, &gc)); + } + if (s->addr[j].port) + { + setenv_dns_option(es, "dns_server_%d_port_%d", i, j + 1, + print_in_port_t(s->addr[j].port, &gc)); + } + } + + if (s->domains) + { + for (j = 1, d = s->domains; d != NULL; j++, d = d->next) + { + setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); + } + } + + if (s->dnssec) + { + setenv_dns_option(es, "dns_server_%d_dnssec", i, -1, + dnssec_value(s->dnssec)); + } + + if (s->transport) + { + setenv_dns_option(es, "dns_server_%d_transport", i, -1, + transport_value(s->transport)); + } + if (s->sni) + { + setenv_dns_option(es, "dns_server_%d_sni", i, -1, s->sni); + } + } + + gc_free(&gc); +} + +static void updown_env_set(bool up, const struct dns_options *o, const struct tuntap *tt, struct env_set *es) { setenv_str(es, "dev", 
tt->actual_name); diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 4cc1e73..c56d603 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -168,14 +168,6 @@ struct dns_updown_runner_info *duri); /** - * Puts the DNS options into an environment set. - * - * @param o Pointer to the DNS options to set - * @param es Pointer to the env_set to set the options into - */ -void setenv_dns_options(const struct dns_options *o, struct env_set *es); - -/** * Prints configured DNS options. * * @param o Pointer to the DNS options to print diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3c1632f..810bb56 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1059,11 +1059,6 @@ setenv_local_entry(es, o->ce.local_list->array[i], i+1); } } - - if (!o->pull) - { - setenv_dns_options(&o->dns_options, es); - } } #ifndef _WIN32 @@ -4182,7 +4177,6 @@ if (success) { dns_options_postprocess_pull(&o->dns_options); - setenv_dns_options(&o->dns_options, es); #if defined(_WIN32) || defined(TARGET_ANDROID) tuntap_options_copy_dns(o); #else
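Review bot: the truncation check in the moved setenv_dns_option() (dns.c, second hunk, `+setenv_dns_option` ... `+setenv_str(es, name, value);`) does not detect what its warning describes. snprintf() returns the number of characters that would have been written, so storing that in the bool `name_ok` makes `if (!name_ok)` fire only when nothing at all was formatted, never when the 64-byte `name` buffer is too small; and even when it fires, the function still goes on to call setenv_str() with the truncated name. Since the hunk moves this code anyway, suggest fixing it on the way, e.g. `int len = (j < 0) ? snprintf(name, sizeof(name), format, i) : snprintf(name, sizeof(name), format, i, j);` followed by `if (len < 0 || len >= (int)sizeof(name)) { msg(M_WARN, "..."); return; }`. With the fixed format strings used here and int indexes the name always fits in 64 bytes, so this is a correctness nit rather than a live bug, but the misleading warning is worth removing while the function is being touched.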
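Review bot: the Doxygen block for setenv_dns_options() deleted in the dns.h hunk (`- * Puts the DNS options into an environment set.` with its `@param o` / `@param es` lines) is not re-attached to the now-static definition added in dns.c, so the moved function loses its only documentation. Suggest carrying the comment over to the static definition in the `#else /* ifdef _WIN32 */` branch, minus the public-API wording, so the intent of the dns_server_%d_* / dns_search_domain_%d naming scheme stays documented next to the code that produces it.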
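Review bot: the options.c `@@ -1059,11 +1059,6 @@` hunk removes the `if (!o->pull) { setenv_dns_options(&o->dns_options, es); }` block, which was the only path that exported locally configured --dns settings to the general script environment; together with the second options.c hunk this means no script hook other than the dns-updown runner will see dns_search_domain_* or dns_server_* variables any more. That is the stated intent of the change, but it is a user-visible behaviour change for existing --up / --route-up scripts that consumed those variables, so the man page and Changes entry should state that these variables are now only available to --dns-updown (either in this change or in a referenced follow-up).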
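Review bot: in the options.c `@@ -4182,7 +4177,6 @@` hunk, removing `setenv_dns_options(&o->dns_options, es);` after dns_options_postprocess_pull() is also what keeps the Windows build compiling, since the second dns.c hunk now defines setenv_dns_options() only under `#else /* ifdef _WIN32 */` and the dns.h declaration is gone; the commit message should mention that the function no longer exists at all on _WIN32 builds, so nobody re-adds a call to it from platform-neutral code.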